Jesse60905, Posted October 14, 2007

Ok I need some clarification on securing my game. So far I have almost finished adding striptags to all of my user-inputted fields. Here is the info I need to know.

What is the difference between striptags and mysql_real_escape_string?
Is striptags better or worse than mysql_real_escape_string?
How would I go about starting to secure my game from header injections*?

If somebody could give some clarification on these subjects so I can start work on it that would be awesome.

Thanks,
Jesse B.

* - May be something else. Hopefully you will understand what I mean.

Isomerizer, Posted October 15, 2007

Re: Just want some advice on securing my game.

Securing against header injections is pretty simple..

    // Reject the request if any POST value contains a mail header name.
    $headerinject = array("Content-Type:", "MIME-Version:", "Content-Transfer-Encoding:", "bcc:", "cc:");
    foreach ($_POST as $k => $v) {
        if (!is_string($v)) {
            continue; // array fields (e.g. name[]) cannot be passed to stripos()
        }
        foreach ($headerinject as $v2) {
            // Header names are case-insensitive, so match with stripos()
            if (stripos($v, $v2) !== false) {
                logBadRequest(); // must be defined elsewhere; not shown in this post
                header("HTTP/1.0 403 Forbidden");
                exit;
            }
        }
    }
    unset($k, $v, $v2, $allowed, $headerinject);

A lot of these security functions can be found on Google.

^^^ Was, just edited a little bit.

Jesse60905 (Author), Posted October 16, 2007

Thanks.

    $headerinject = array("Content-Type:", "MIME-Version:", "Content-Transfer-Encoding:", "bcc:", "cc:");
    foreach ($_POST as $k => $v) {
        if (!is_string($v)) {
            continue;
        }
        foreach ($headerinject as $v2) {
            if (stripos($v, $v2) !== false) {
                logBadRequest();
                header("HTTP/1.0 403 Forbidden");
                exit;
            }
        }
    }
    unset($k, $v, $v2, $allowed, $headerinject);

I take it I put that in header? I'm gonna test it now anyways.

Jesse60905 (Author), Posted October 21, 2007

What is the difference between striptags and mysql_real_escape_string?
Is striptags better or worse than mysql_real_escape_string?

Can somebody clarify on these questions?

hamster01, Posted October 21, 2007

strip_tags and mysql_real_escape_string

Jesse60905 (Author), Posted October 22, 2007

Ok. Can somebody just give their opinion on which is better? I am leaning towards striptags but I want to be 100% sure.

hamster01, Posted October 22, 2007

They both serve different purposes.

strip_tags: It removes XSS and other various code injections.
mysql_real_escape_string: Almost like magic_quotes and addslashes.

Now google it if you need more technical info about it.

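The difference asked about above, shown as an added example that is not part of any post in the thread: strip_tags() deals with markup, and the database and the HTML page each need their own handling. A PDO prepared statement on an in-memory SQLite database stands in for mysql_real_escape_string(), which needs a live MySQL connection and whose extension was removed in PHP 7; the sample name and the users table layout are constructed.

```php
<?php
// Constructed input, not taken from the thread.
$input = "<b>Jesse</b> O'Brien";

// strip_tags() only removes markup; the single quote is left in place.
$noTags = strip_tags($input);

// In-memory SQLite database standing in for the game's MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT)');

// 1) Hand-built query using only strip_tags(): the quote ends the
//    string literal early and the statement is rejected.
try {
    $db->exec("INSERT INTO users (username) VALUES ('$noTags')");
    $handBuilt = 'accepted';
} catch (PDOException $e) {
    $handBuilt = 'rejected: ' . $e->getMessage();
}

// 2) SQL context done properly: bind the value, no manual escaping.
$stmt = $db->prepare('INSERT INTO users (username) VALUES (:name)');
$stmt->execute([':name' => $input]);
$stored = $db->query('SELECT username FROM users WHERE userid = 1')->fetchColumn();

// 3) HTML context: encode at output time so markup is shown as text.
$safeHtml = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');

printf("raw input         : %s\n", $input);
printf("after strip_tags  : %s\n", $noTags);
printf("hand-built query  : %s\n", $handBuilt);
printf("stored via binding: %s\n", $stored);
printf("encoded for HTML  : %s\n", $safeHtml);
```
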
carlg, Posted November 11, 2007

Where would one put this code in the header?

Jesse60905 (Author), Posted November 11, 2007

I think before:

    function userdata($ir,$lv,$fm,$cm,$dosessh=1)
    {
    global $db,$c,$userid, $set;
    $IP = ($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
    $db->query("UPDATE users SET laston=unix_timestamp(),lastip='$IP' WHERE userid=$userid");
    if(!$ir['email'])
    {
    global $domain;
    die ("<body>Your account may be broken. Please mail admin@{$domain} stating your username and player ID.");
    }
    if($dosessh && ($_SESSION['attacking'] || $ir['attacking']))
    {
    print "You lost all your EXP for running from the fight.";
    $db->query("UPDATE users SET exp=0,attacking=0 WHERE userid=$userid");
    $_SESSION['attacking']=0;
    }
    $enperc=(int) ($ir['energy']/$ir['maxenergy']*100);
    $wiperc=(int) ($ir['will']/$ir['maxwill']*100);
    $experc=(int) ( $ir['exp']/$ir['exp_needed']*100);
    $brperc=(int) ($ir['brave']/$ir['maxbrave']*100);
    $hpperc=(int) ($ir['hp']/$ir['maxhp']*100);
    $enopp=100-$enperc;
    $wiopp=100-$wiperc;
    $exopp=100-$experc;
    $bropp=100-$brperc;
    $hpopp=100-$hpperc;
    $d="";
    $u=$ir['username'];
    if($ir['donatordays']) { $u = "[b]{$ir['username']}[/b]";$d="[img=donator.gif]"; }
    // (the post ends here; the rest of the function is not shown)

Isomerizer, Posted November 12, 2007

For security functions I'd put in global func's or maybe include a security.php into mysql.php so that the functions are included on all pages.

Jesse60905 (Author), Posted November 12, 2007

True...

HITMAN 17, Posted November 13, 2007

> Thanks.
>
>     $headerinject = array("Content-Type:", "MIME-Version:", "Content-Transfer-Encoding:", "bcc:", "cc:");
>     foreach ($_POST as $k => $v) {
>         if (!is_string($v)) {
>             continue;
>         }
>         foreach ($headerinject as $v2) {
>             if (stripos($v, $v2) !== false) {
>                 logBadRequest();
>                 header("HTTP/1.0 403 Forbidden");
>                 exit;
>             }
>         }
>     }
>     unset($k, $v, $v2, $allowed, $headerinject);
>
> I take it I put that in header? I'm gonna test it now anyways.

did it work when u put it in header

dementor, Posted November 13, 2007

u don't know till u get a security breach :-) if u get one

Isomerizer, Posted November 13, 2007

> > Thanks.
> >
> >     $headerinject = array("Content-Type:", "MIME-Version:", "Content-Transfer-Encoding:", "bcc:", "cc:");
> >     foreach ($_POST as $k => $v) {
> >         if (!is_string($v)) {
> >             continue;
> >         }
> >         foreach ($headerinject as $v2) {
> >             if (stripos($v, $v2) !== false) {
> >                 logBadRequest();
> >                 header("HTTP/1.0 403 Forbidden");
> >                 exit;
> >             }
> >         }
> >     }
> >     unset($k, $v, $v2, $allowed, $headerinject);
> >
> > I take it I put that in header? I'm gonna test it now anyways.
>
> did it work when u put it in header

You've been told where to put it...

> For security functions I'd put in global func's or maybe include a security.php into mysql.php so that the functions are included on all pages.

nypthamine, Posted February 15, 2008

how to test it whether it works or not?

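One way to check the filter from the thread offline, as an added example that is not code from any poster: the blacklist is wrapped in a function and run over constructed form submissions, next to a stricter check that rejects any line break in a value bound for a mail header. The function names, field names and sample values are assumptions made for this example.

```php
<?php
// Blacklist from the thread, wrapped in a function (case-insensitive match).
function matchesHeaderBlacklist(array $post): bool
{
    $needles = ["Content-Type:", "MIME-Version:", "Content-Transfer-Encoding:", "bcc:", "cc:"];
    foreach ($post as $value) {
        if (!is_string($value)) {
            continue; // skip array fields
        }
        foreach ($needles as $needle) {
            if (stripos($value, $needle) !== false) {
                return true;
            }
        }
    }
    return false;
}

// Hypothetical stricter check: a header value must stay on one line,
// whatever header name an extra line would carry.
function hasLineBreak(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Constructed form submissions (field names are assumptions).
$cases = [
    'normal'           => ['subject' => 'Hello', 'email' => 'player@example.com'],
    'blacklisted name' => ['subject' => "Hi\r\nBcc: other@example.com", 'email' => 'player@example.com'],
    'unlisted header'  => ['subject' => "Hi\r\nReply-To: other@example.com", 'email' => 'player@example.com'],
    'harmless mention' => ['subject' => 'Who do I cc: on this?', 'email' => 'player@example.com'],
];

foreach ($cases as $label => $post) {
    $withBreaks = array_filter($post, 'hasLineBreak');
    printf("%-17s blacklist=%-3s linebreak=%s\n",
        $label,
        matchesHeaderBlacklist($post) ? 'hit' : 'no',
        $withBreaks ? 'hit' : 'no');
}
```

The two columns differ on the last two cases: the name list flags an ordinary sentence that mentions "cc:" and passes a header it does not list, while the line-break check keys on the separator itself.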